Let’s Encrypt and DreamHost

Maybe you’ve heard this rallying cry in some of the Internet’s nerdier corners; maybe not.

HTTPS Everywhere is one of the most significant ideas to come along since the Internet was created, and it embodies a simple sounding goal — encrypt all web traffic.

Thanks to Edward Snowden’s revelations, the world now knows that virtually all of their Internet traffic (innocent or otherwise) is being monitored at any given time. Who’s doing the monitoring? A lot of different governments around the world, for starters — and that’s just what he told us about.

Anyone on the Internet can peek at traffic and spy on anyone or anything, with or without just cause.

DreamHost believes that your private data should remain private. You should have a reasonable expectation that your interactions with a website won’t be monitored by a third party — ever.

Unfortunately, what we believe and how the Internet works are two different things.

One good solution to keeping your private data private is encryption!

You know how when you visit a secure site, that little lock icon pops up in your browser’s toolbar? One of these cute fellas:

That icon is your assurance that traffic between your browser and the site you’re visiting is encrypted and can’t be eavesdropped on. It’s not just limited to keeping your credit card details safe — all of your web traffic can be encrypted!

As a website owner, if you want to turn that icon on and enable encryption, you’ll need to obtain a secure certificate from a trusted party that’s been authorized to issue them. And, like a lot of things on the Internet designed to make your life better, you’d need to pay a recurring fee for it. Certificates can be purchased from a few different places online. Heck, we even sell them ourselves at an industry-leading $15 per year!

Pricing for secure certificates varies wildly — we’ve seen them priced as high as $300 per year, and we’re sure that’s not the ceiling. But here’s the secret that the SSL industry doesn’t want you to know: SSL certificates are all the same.

So why doesn’t everyone just buy cheap SSL certificates and use them? Why isn’t every website using encryption today?

It’s because people are lazy, cheap, or don’t want to learn new things. Even a fee as low as one dollar can be a barrier to entry.

Two employees at Mozilla (Josh Aas and Eric Rescorla) recognized this a while ago, and formed a non-profit organization called “Let’s Encrypt”.

Let’s Encrypt’s entire mission is to do exactly what you’d expect – secure the web – and to do it in a way that makes life easier and better for everyone.

Let’s Encrypt issues free secure certificates to domain holders.

Free. Completely free! In fact, they just started doing this (in beta) today.

Certificates created by Let’s Encrypt are functionally identical to any certificate you’d spend money for elsewhere. They’re recognized as secure across all major web browsers with no additional work or configuration required by users. These certificates are valid for 90 days, and in the future we will auto-renew any certificates generated through DreamHost!
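The 90-day lifetime mentioned above is what makes automated renewal matter: a renewal job has to decide, on a schedule, whether a certificate is close enough to expiry to act. The script below is an added example, not DreamHost’s or Let’s Encrypt’s code; it assumes only the openssl command-line tool, builds a constructed self-signed 90-day certificate for a made-up name, and asks the question a renewal job asks.

```shell
#!/bin/sh
# Added example (not DreamHost's or Let's Encrypt's code): decide whether a
# 90-day certificate is inside a renewal window, the check an auto-renewal
# job would run. Uses only the openssl CLI; all paths here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a Let's Encrypt cert: self-signed, 90-day lifetime.
make_90_day_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/cert.pem"
}

# The certificate's notAfter date as openssl reports it (for display only).
cert_expiry() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Returns 0 (true) when the certificate expires within $2 days, i.e. when a
# renewal job should act now. openssl's -checkend exits 1 exactly in that case.
needs_renewal() {
  cert="$1"; window_days="$2"
  if openssl x509 -noout -checkend $((window_days * 86400)) -in "$cert" >/dev/null; then
    return 1   # still valid past the whole window: nothing to do yet
  fi
  return 0     # expires inside the window: renew
}

CERT=$(make_90_day_cert)
echo "notAfter: $(cert_expiry "$CERT")"
if needs_renewal "$CERT" 30; then
  echo "renew now"
else
  echo "fresh 90-day certificate; check again in a month"
fi
```

A renewal job that runs daily with a 30-day window renews each certificate roughly 60 days after issuance, leaving a month of retries if the renewal fails.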

Let’s Encrypt is working to address a fundamental oversight of the web’s design. End to end encryption for all web traffic is not only possible, it’s now easier than ever.

DreamHost is committed to supporting Let’s Encrypt, even if it means taking a hit on the chin in lost certificate sales.

DreamHost users will soon be able to generate and enable Let’s Encrypt certificates directly within their control panel. Who knows — now that certificates are free, we may even enable HTTPS for all new customers by default!

In the meantime, while we’re working to enable that functionality, you can contact our support team by submitting a ticket or starting a LiveChat to express your interest in Let’s Encrypt. We’ll be sure to contact you once DreamHost is fully Let’s Encrypt-enabled!

If you’re not entirely comfortable with the Let’s Encrypt approach to democratizing encryption, don’t worry! You’ll still be able to purchase secure certificates through the DreamHost control panel from Comodo for $15 per year. Functionally, they’re the same! Financially, they are fifteen dollars more expensive than free certificates. Up to you!

The web’s about to get safer, and we can’t wait to watch it happen!

Update: An earlier version of this post claimed that the Electronic Frontier Foundation created Let’s Encrypt. This post has been updated to reflect reality. My bad. -Brett

Update: An earlier version of this post encouraged users to start a Live Chat session for support. Unfortunately issues with Let’s Encrypt cannot be handled over Live Chat at this time. Please submit a ticket if help is needed!

36 Comments

I have it installed manually on my DreamHost VPS and installation was a nightmare. It is still not properly installed because Chrome shows an outdated encryption message. I hope when it is rolled out, I can undo the manual install and switch to the automated process and enable it properly?

It assumes you are familiar with OpenSSL and is perhaps 100x more complicated than the single (or two, I’m assuming!) click solution DreamHost is brewing now, but if you want to get started today to get a certificate that works on your DreamHost hosted domain, you may want to look into this. I’ve used this one for one of my domains and it works great.

It would be really nice if you finally would add https transport layer security to the MAILMAN configuration web interface! It is not possible to log into that web interface without exposing the password over unencrypted http – I wonder how this can have survived for years! Offering https would be a huge step forward, please do it, thanks!

BTW this would be a great opportunity to offer encrypted mail transport with actually valid certificates for the domains hosted at dreamhost! Certainly one or two days more of work for any seasoned admin, but why not just do it for the fun of it? People will love it and it is easy to do!

“But here’s the secret that the SSL industry doesn’t want you to know: SSL certificates are all the same.”

Is that true? Does Let’s Encrypt include the organization name of who they are issuing the certificate to? TLS certificates perform two functions: they provide a level of assurance as to the identity of whom you are communicating with, and provide a level of assurance that that communication is private.

What level of assurance does Let’s Encrypt offer for the certificates it mints?

[…] Of course it’s going to be even better when hosting providers begin implementing Let’s Encrypt on their servers especially for their shared hosting, so that they can automatically take care of getting and installing certificates from Let’s Encrypt (here’s a list of hosts that are working on it). In that case a lifetime of 90 days won’t be an issue, and this is what the people at Let’s Encrypt are going for in the first place. Here’s what DreamHost is doing: […]

Regarding those extremely expensive HTTPS certificates you mention, they are at least one of the following:
– Certificates issued under Extended Validation schemes, where the CA performs exhaustive verification of the identity of the organization that requested the certificate, a long and costly process.
– Hosting providers and CDNs who require self-owned certificates to be installed on special dedicated systems where the availability of such systems on the provider’s service is very limited.

One request to prioritize (which I believe you are already working on but correct me if I’m wrong):

Add support for DreamPress + Varnish + SSL. It appears after adding SSL support for our site, we no longer have Varnish entirely working. When testing with http://www.isvarnishingworking.com I quite often get the following:

Varnish appears to be responding at that url, but the “Age” header is less than 1.

This means that either 1) you checked right when Varnish cleared its cache for that url, or 2) for whatever reason Varnish is not actually serving the content for that url from cache.

I noticed that the privkey.pem file that letsencrypt gives you (which I got by running `./letsencrypt certonly --authenticator manual`) is in slightly the wrong format for dreamhost’s “add secure hosting” config page. But that’s easy to fix: I got the RSA PRIVATE KEY I needed from gnutls certtool (`certtool --key-info --infile privkey.pem`). I’m sure openssl would also tell you (somehow).
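As an added example (not the commenter’s procedure, and not DreamHost’s or Let’s Encrypt’s code), here is the same conversion done with openssl instead of certtool. It assumes privkey.pem is a PKCS#8 “BEGIN PRIVATE KEY” file and that the control panel wants the PKCS#1 “BEGIN RSA PRIVATE KEY” form; the key and paths are constructed, and only the openssl CLI is needed. It also does the check worth doing after any such conversion: confirming that the rewritten file still holds the same key and not a fresh one.

```shell
#!/bin/sh
# Added example (not the commenter's or DreamHost's code): convert a PKCS#8
# "BEGIN PRIVATE KEY" file, assumed to be what privkey.pem contains, into the
# traditional "BEGIN RSA PRIVATE KEY" form with openssl instead of certtool,
# then confirm both files hold the same key. All paths here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for privkey.pem: a fresh RSA key written as PKCS#8.
make_pkcs8_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/privkey.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/privkey.pem"
}

# First line of a PEM file: the header that says which encoding it uses.
key_header() { head -n 1 "$1"; }

# RSA modulus in hex; identical for both encodings of the same key.
modulus() { openssl rsa -noout -modulus -in "$1" | sed 's/^Modulus=//'; }

# Rewrite to PKCS#1. OpenSSL 3 needs -traditional (its default output is
# PKCS#8); OpenSSL 1.x rejects that flag but already writes PKCS#1, hence
# the fallback. Prints the path of the converted file.
to_traditional_rsa() {
  out="$WORK/privkey-rsa.pem"
  openssl rsa -in "$1" -out "$out" -traditional >/dev/null 2>&1 \
    || openssl rsa -in "$1" -out "$out" >/dev/null 2>&1
  printf '%s\n' "$out"
}

SRC=$(make_pkcs8_key)
DST=$(to_traditional_rsa "$SRC")
echo "before: $(key_header "$SRC")"
echo "after:  $(key_header "$DST")"
if [ "$(modulus "$SRC")" = "$(modulus "$DST")" ]; then
  echo "same key, different encoding"
fi
```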

Thank you so much for this fantastic service, DreamHost. After a week of tweaking and finally catching on that it was our active .htaccess that was giving us grief, we are fully SSL. Now adding this added protection is easy for us. Yet again, DreamHost delivers a great service!

I’ve gotta say that this is such a trustworthy step from a web hosting company. One of the reasons I joined with DreamHost recently was because they did this. It just makes me think that they must be doing even more in their customers’ best interest.

@Rob, I also don’t see any mention of auto-renewal in the control panel, but in this article it does mention that “These certificates are valid for 90 days, and in the future we will auto-renew any certificates generated through DreamHost!” I am hoping that means that they will do so, but I’ll be keeping an eye on it when my cert is due for renewal.

The main reason why HTTPS is utilized today is to keep important information sent over the internet encrypted in order that just the anticipated receiver can understand it. And this is very important as the info you transmit on the net is passed from one computer to another to reach the destination server.